1CO. 


Information Commissioner’s Office 


Consultation: Age appropriate design code 


Introduction 


The Information Commissioner is seeking feedback on her draft code of practice Age appropriate 
design: a code of practice for online services likely to be accessed by children (the code). 


The code will provide guidance on the design standards that the Commissioner will expect 
providers of online ‘Information Society Services’ (ISS), which process personal data and are likely 
to be accessed by children, to meet. 


The code is now out for public consultation and will remain open until 31 May 2019. The 
Information Commissioner welcomes feedback on the specific questions set out below. 


For this consultation, we will publish all resoonses except for those where the respondent indicates 
that they are an individual acting in a private capacity (e.g. a member of the public or a parent). All 
responses from organisations and individuals responding in a professional capacity (e.g. 
academics, child development experts, sole traders, child minders, education professionals) will be 
published. We will remove email addresses and telephone numbers from these responses but 
apart from this, we will publish them in full. 


For more information about what we do with personal data please see our privacy notice. 


Please note, we are using the platform Snap Surveys to gather this information. Any data collected 
by Snap Surveys for ICO is stored on UK servers. You can read their Privacy Policy here. 


Section 1: Your views on the code 


Is the ‘About t 
Q1 © Yes 
No 


If no, then please provide your reasons for this view. 
Qla 


Is the ‘Services covered by this code’ section clearly communicated? 
Q2 @ Yes 
O No 


If no, then please provide your reasons for this view. 


Section 2: Your views on the draft standards 


There are 16 draft standards in the code. You can comment on all the drafts 
standards, or focus on a single standard. If you do not want to answer questions on a 
standard please press skip. 

The standards are: 


1) Best interests of the child 


4) Detrimental use of data 

5) Policies and community standards 
6) Default settings 

7) Data minimisation 

8) Data sharing 


10) Parental Controls 


12) Nudge techniques 
13) Connected toys and devices 
14) Online tools 


16) Governance and accountability 


Q3 ©) I would like to comment on this standard 


© skip 


Q4 


Q4a 


Q5 


Q5a 


Q6 


Q6a 


Q7 


Q7a 


Q8 


Q8a 


Q9 


Q9a 


Have we communicated our expectations for this standard clearly? 
Yes 


No 
If no, then please give reasons for your answer. 


Do you have any examples that you think could be used to illustrate the 
approach we are advocating to this standard? 


Yes 


No 
If yes, then please give reasons for your answer. 


Do you think this standard gives rise to any unwarranted or unintended 
consequences? 


Yes 
No 
If yes, then please give reasons for your answer. 


Do you envisage any feasibility challenges to online services delivering this 
standard? 

Yes 

No 


If yes, then please provide details of what you think the challenges are and how you 
think they could be overcome? 


Do you think this standard requires a transition period of any longer than 3 months 
after the code comes into force? 


Yes 


No 


If yes, then please provide your reasons for this view, and give an indication of what 
you think a reasonable transition period would be and why. 


Do you know of any online resources that you think could be usefully linked to 
from this section of the code? 


Yes 
No 
If yes, then please provide details (including links). 


Q10 


© I would like to comment on this standard 


©) Skip 


Q11 @ Yes 
©) No 


If no, then please give reasons for your answer. 
Qila 


hink could be used to illustrate the approach we 
are advocating to this standard? 


Q12 ©) Yes 
© No 


If yes, then please give reasons for your answer. 
Q12a 


Q13 @ Yes 


©) No 
If yes, then please give reasons for your answer. 


Qi3a The code should provide greater clarity as to obligations of Data Controllers when 
dealing with those under 18 who are recognised under UK law as capable of entering 
into legally binding contracts. For insurance companies, individuals aged 17 and over 
are able to apply and take out motor insurance policies, with motor insurance 
required by law. Where data controllers are required already under GDPR to provide 
clear and transparent information, it is difficult to understand what additional 
requirements would need to be provided on websites pr over the phone to distinguish 
between 17 year olds and over 18s, particularly when FCA requirements already 
require information to be clearly provided to customers. The proposed code of 
practice should specifically carve out obligations that go beyond GDPR requirements, 
where 17 year olds can enter into legally binding contracts. Clarification should also 
be provided in respect to obligations concerning the provision of direct marketing to 
those individuals, where current existing marketing preference wordings will not 
differentiate between 17 year olds and adults over 18. For example, it would appear 
unreasonable for Controllers to identify 17 years olds and treat them differently given 


Q14 @ Yes 
O No 


Qi4a There is a potential for disruption to be caused to design of insurance websites. There 
does not appear to be an immediate need to make changes specifically to cater for 17 
year olds. Insurers already have FCA obligations to be clear and not mislead 
customers, as well as delivering fair processing and transparency under GDPR. 


Q15 @ Yes 


| 


Q1i5a 3 months is not long enough to mobilise change resources and budget to make 
changes particularly in the online digital space. Changes would need to be scoped; 
transparent wording agreed; change built and tested. 


Q16 (©) Yes 
© No 


Qi6a 


‘Transparency: The privacy information you provide to users, and other 
published terms, policies and community standards, must be concise, 
prominent and in clear language suited to the age of the child. Provide 
additional specific ‘bite-sized’ explanations about how you use personal data at 
the point that use is activated. 

Q17  @ I would like to respond to this standard 


©) Skip 


Have we communicated our expectations for this standard clearly? 
Q18 @ Yes 

© No 

If no, then please give reasons for your answer. 
Q18a 


Q19 ©) Yes 
© No 


If yes, then please give reasons for your answer. 
Q19a 


Q20 @ Yes 
© No 


Q20a As described above, where an over 17 year old is capable of entering into a legally 
binding contract, it would appear unnecessary to require that website owner to have 
enhanced transparency requirements above those already clearly established in the 
GDPR. The Government has deemed that a 17 year old is mentally capable of making 
a legally binding decision (entering into a contract for motor insurance), and as such 
the wording used for adults should be deemed necessary to fulfil transparency 
requirements. 


Q21 


© Yes 
© No 


Q21a There is a potential for disruption to be caused to design of insurance websites. There 


does not appear to be an immediate need to make changes specifically to cater for 17 
year olds. Insurers already have FCA obligations to be clear and not mislead 
customers, as well as delivering fair processing and transparency under GDPR. 


Q22a 3 months is not long enough to mobilise change resources and budget to make 


Q23 


Q23a 


changes particularly in the online digital space. Changes would need to be scoped; 
transparent wording agreed; change built and tested. 


Do you know of any online resources that you think could be usefully linked to from 


this section of the code? 


O Yes 
© No 


If yes, then please provide details (including links). 


Q24 


Q25 


Q25a 


Q26 


Q26a 


Q27 


Q27a 


Q28 


Q28a 


Q29 


Q29a 


have been shown to be detrimental to their wellbeing, or that go against 
industry codes of practice, other regulatory provisions or Government advice. 
O I would like to respond to this standard 


© Skip 


Have we communicated our expectations for this standard clearly? 
© Yes 

©) No 

If no, then please give reasons for your answer. 


Do you have any examples that you think could be used to illustrate the approach we 
are advocating to this standard? 


©) Yes 
O No 
If yes, then please give reasons for your answer. 


Do you think this standard gives rise to any unwarranted or unintended 
consequences? 


© Yes 
O No 
If yes, then please give reasons for your answer. 


Do you envisage any feasibility challenges to online services delivering this standard? 
O Yes 

O No 

If yes, then please provide details of what you think the challenges are and how you 
think they could be overcome? 


Do you think this standard requires a transition period of any longer than 3 
months after the code comes into force? 

© Yes 

©) No 

If yes, then please provide your reasons for this view, and give an indication of what 
you think a reasonable transition period would be and why. 


Do you know of any online resources that you think could be usefully linked to from 
this section of the code? 


Q30 ©) Yes 

©) No 

If yes, then please provide details (including links). 
Q30a 


mmuni Uph our O\ blished terms 
policies and community standards (including but not limited to privacy policies, 
age restriction, behaviour rules and content policies). 

©) I would like to respond to this standard 


© skip 


Q31 


Have we communicated our expectations for this standard clearly? 
Q32 () Yes 

©) No 

If no, then please give reasons for your answer. 
Q32a 


Do you have any examples that you think could be used to illustrate the approach we 
are advocating to this standard? 


Q33 ©) Yes 
©) No 


If yes, then please give reasons for your answer. 
Q33a 


Do you think this standard gives rise to any unwarranted or unintended 
consequences? 


Q34 () Yes 
©) No 


If yes, then please give reasons for your answer. 
Q34a 


Do you envisage any feasibility challenges to online services delivering this 
standard? 

Q35 ©) Yes 
©) No 
If yes, then please provide details of what you think the challenges are and how you 
think they could be overcome? 

Q35a 


Do you think this standard requires a transition period of any longer than 3 months 
after the code comes into force? 

Q36 () Yes 
© No 
If yes, then please provide your reasons for this view, and give an indication of what 
you think a reasonable transition period would be and why. 

Q36a 


Do you know of any online resources that you think could be usefully linked to 
from this section of the code? 


Q37 (©) Yes 
© No 


If yes, then please provide details (including links). 
Q37a 


a different default setting, taking account 


of the best interests of the child). 
Q38 () I would like to respond to this standard 


© skip 


Q39 


Q39a 


Q40 


Q40a 


Q41 


Q41a 


Q42 


Q42a 


Q43 


Q43a 


Q44 


Q44a 


Have we communicated our expectations for this standard clearly? 
Yes 


No 
If no, then please give reasons for your answer. 


Do you have any examples that you think could be used to illustrate the approach we 
are advocating to this standard? 


Yes 


No 
If yes, then please give reasons for your answer. 


Do you think this standard gives rise to any unwarranted or unintended 
consequences? 


Yes 


No 
If yes, then please give reasons for your answer. 


Do you envisage any feasibility challenges to online services delivering this standard? 
) Yes 


No 


If yes, then please provide details of what you think the challenges are and how you 
think they could be overcome? 


Do you think this standard requires a transition period of any longer than 3 months 
after the code comes into force? 


Yes 


No 


If yes, then please provide your reasons for this view, and give an indication of what 
you think a reasonable transition period would be and why. 


Do you know of any online resources that you think could be usefully linked to from 
this section of the code? 


Yes 


No 
If yes, then please provide details (including links). 


Q45 


Q46 


Q46a 


Q47 


Q47a 


Q48 


Q48a 


Q49 


Q49a 


Q50 


Q50a 


O I would like to respond to this standard 


© skip 


Have we communicated our expectations for this standard clearly? 


O Yes 
©) No 


If no, then please give reasons for your answer. 


Do you have any examples that you think could be used to illustrate the approach we 
are advocating to this standard? 


O Yes 
©) No 


If yes, then please give reasons for your answer. 


Do you think this standard gives rise to any unwarranted or unintended 
consequences? 


©) Yes 
©) No 


If yes, then please give reasons for your answer. 


Do you envisage any feasibility challenges to online services delivering this standard? 


O Yes 
©) No 


If yes, then please provide details of what you think the challenges are and how you 
think they could be overcome? 


Do you think this standard requires a transition period of any longer than 3 months 
after the code comes into force? 


O Yes 
©) No 


If yes, then please provide your reasons for this view, and give an indication of what 
you think a reasonable transition period would be and why. 


Do you know of any online resources that you think could be usefully linked to from 
this section of the code? 


Q51 ©) Yes 
©) No 


If yes, then please provide details (including links). 
Q51a 


Q52 (`) I would like to respond to this standard 


© Skip 


Have we communicated our expectations for this standard clearly? 
Q53 ©) Yes 

©) No 

If no, then please give reasons for your answer. 
Q53a 


Do you have any examples that you think could be used to illustrate the approach we 
are advocating to this standard? 


Q54 (C) Yes 

©) No 

If yes, then please give reasons for your answer. 
Q54a 


Do you think this standard gives rise to any unwarranted or unintended 
consequences? 


Q55 ©) Yes 

©) No 

If yes, then please give reasons for your answer. 
Q55a 


Do you envisage any feasibility challenges to online services delivering this standard? 
Q56 (©) Yes 
©) No 


If yes, then please provide details of what you think the challenges are and how you 
think they could be overcome? 


Q56a 


Do you think this standard requires a transition period of any longer than 3 months 
after the code comes into force? 


Q57 ©) Yes 
O No 


If yes, then please provide your reasons for this view, and give an indication of what 
you think a reasonable transition period would be and why. 


Q57a 


Do you know of any online resources that you think could be usefully linked to from 
this section of the code? 


Q58 () Yes 
O No 


If yes, then please provide details (including links). 
Q58a 


=>? © I would like to respond to this standard 


©) Skip 


Q60 @ Yes 

© No 

If no, then please give reasons for your answer. 
Q60a 


Do you have any examples that you think could be used to illustrate the 


approach we are advocating to this standard? 
Q61 ©) Yes 
© No 


If yes, then please give reasons for your answer. 
Q6la 


consequences? 
Q62 @ Yes 
©) No 


Q62a Individuals over 17 can legally buy and enter into a contract for motor insurance. As 
high risk individuals, insurance premiums are usually higher than more experienced 
drivers to cater for this risk. The insurance industry has introduces telematics policies 
to enable insurers to calculate the risk posed by young drivers based on their driving 
style. Young drivers benefit enormously from such products, but location data will 
need to be collected to facilitate the telematics scheme. 


Q63 ©) Yes 
© No 


If yes, then please provide details of what you think the challenges are and how you 
think they could be overcome? 


Q63a 


Q64 () Yes 
© No 


If yes, then please provide your reasons for this view, and give an indication of what 
you think a reasonable transition period would be and why. 


Q64a 


Q65 () Yes 

© No 

If yes, then please provide details (including links). 
Q65a 


Q66 


Q67 


Q67a 


Q68 


Q68a 


Q69 


Q69a 


Q70 


Q70a 


Q71 


Q71a 


O I would like to respond to this standard 


© Skip 


Have we communicated our expectations for this standard clearly? 


O Yes 
©) No 


If no, then please give reasons for your answer. 


Do you have any examples that you think could be used to illustrate the 
approach we are advocating to this standard? 


©) Yes 
O No 


If yes, then please give reasons for your answer. 


Do you think this standard gives rise to any unwarranted or unintended 
consequences? 


©) Yes 
©) No 


If yes, then please give reasons for your answer. 


Do you envisage any feasibility challenges to online services delivering this standard? 
O Yes 
©) No 


If yes, then please provide details of what you think the challenges are and how you 
think they could be overcome? 


Do you think this standard requires a transition period of any longer than 3 
months after the code comes into force? 


©) Yes 
O No 


If yes, then please provide your reasons for this view, and give an indication of what 
you think a reasonable transition period would be and why. 


Do you know of any online resources that you think could be usefully linked to from 
this section of the code? 


Q72 Ọ Yes 

©) No 

If yes, then please provide details (including links). 
Q72a 


Profiling: Switch options which use profiling off by default (unless you can 
demonstrate a compelling reason for profiling, taking account of the best 
interests of the child). Only allow profiling if you have appropriate measures in 
place to protect the child from any harmful effects (in particular, being fed 
content that is detrimental to their health or wellbeing). 


Q73 @ I would like to respond to this standard 
©) Skip 


Have we communicated our expectations for this standard clearly? 
Q74 @ Yes 

©) No 

If no, then please give reasons for your answer. 
Q74a 


Q75 ©) Yes 

© No 

If yes, then please give reasons for your answer. 
Q75a 


Q76 @ Yes 
O No 


Q76a Motor insurance contracts will require profiling to be conducted and an automated 
decision to generate insurance premiums. It will be incredibly difficult to distinguish 
17 year olds from our standard pricing and underwriting process. Such profiling is 
necessary to enter into and perform a contract of insurance. 


Q77 _(.) Yes 
© No 


If yes, then please provide details of what you think the challenges are and how you 
think they could be overcome? 


Q77a 


Q78 C) Yes 
© No 


If yes, then please provide your reasons for this view, and give an indication of what 
you think a reasonable transition period would be and why. 


Q78a 


Q79 © Yes 
© No 


If yes, then please provide details (including links). 
Q79a 


Q80 


Q81 


Q8ia 


Q82 


Q82a 


Q83 


Q83a 


Q84 


Q84a 


Q85 


Q85a 


| 


to provide unnecessary personal data, weaken or turn off privacy protections, 


or extend use. 


O I would like to respond to this standard 


© Skip 


Have we communicated our expectations for this standard clearly? 
© Yes 
O No 


If no, then please give reasons for your answer. 


Do you have any examples that you think could be used to illustrate the 
approach we are advocating to this standard? 


©) Yes 
©) No 
If yes, then please give reasons for your answer. 


Do you think this standard gives rise to any unwarranted or unintended 
consequences? 

©) Yes 

©) No 

If yes, then please give reasons for your answer. 


Do you envisage any feasibility challenges to online services delivering this 
standard? 

©) Yes 

©) No 

If yes, then please provide details of what you think the challenges are and how you 
think they could be overcome? 


Do you think this standard requires a transition period of any longer than 3 
months after the code comes into force? 


©) Yes 

©) No 

If yes, then please provide your reasons for this view, and give an indication of what 
you think a reasonable transition period would be and why. 


Q86 


Q86a 


Q87 


Q88 


Q88a 


Q89 


Q89a 


Q90 


Q90a 


Q91 


Q9ia 


Do you know of any online resources that you think could be usefully linked to 
from this section of the code? 


©) Yes 
©) No 


If yes, then please provide details (including links). 


Connected toys and devices: If you provide a connected toy or device ensure 
you include effective tools to enable compliance with this code 
©) I would like to respond to this standard 


© skip 


Have we communicated our expectations for this standard clearly? 


O Yes 
©) No 


If no, then please give reasons for your answer. 


Do you have any examples that you think could be used to illustrate the approach we 
are advocating to this standard? 


O) Yes 
©) No 


If yes, then please give reasons for your answer. 


Do you think this standard gives rise to any unwarranted or unintended 
consequences? 


©) Yes 
©) No 


If yes, then please give reasons for your answer. 


Do you envisage any feasibility challenges to online services delivering this 
standard? 


O Yes 
©) No 


If yes, then please provide details of what you think the challenges are and how you 
think they could be overcome? 


Do you think this standard requires a transition period of any longer than 3 months 
after the code comes into force? 

Q92 Ọ Yes 
O No 


If yes, then please provide your reasons for this view, and give an indication of what 
you think a reasonable transition period would be and why. 


Q92a 


Do you know of any online resources that you think could be usefully linked to from 
this section of the code? 


Q93 Ọ Yes 
O No 


If yes, then please provide details (including links). 
Q93a 


Q9%  @ I would like to respond to this standard 


©) Skip 


QS Q Yes 
© No 


If no, then please give reasons for your answer. 
Q95a 


Q96 C) Yes 
© No 


If yes, then please give reasons for your answer. 
Q96a 


Do you think this standard gives rise to any unwarranted or unintended 
consequences? 
Q97 @ Yes 


©) No 
If yes, then please give reasons for your answer. 


Q97a Ifa 17 year old is treated the same as an 18 year old under law in respect to their 
ability to enter into a contract for motor insurance, then there does not appear to be 
a compelling need to complete a DPIA solely to cover the issuing of a motor policy to 
17 year olds. The existing GDPR provisions and ICO guidance on high risk DPIAs 
already provide sufficient protection to data subjects. 


Do you envisage any feasibility challenges to online services delivering this standard? 
Q98 ©) Yes 

© No 

If yes, then please provide details of what you think the challenges are and how you 

think they could be overcome? 


Q98a 


Do you think this standard requires a transition period of any longer than 3 months 
after the code comes into force? 


Q99 Ọ Yes 
© No 


If yes, then please provide your reasons for this view, and give an indication of what 
you think a reasonable transition period would be and why. 


Q99a 


Q100 Q) Yes 
© No 


Q100 If yes, then please provide details (including links). 
a 


Q101 


O I would like to respond to this standard 


© Skip 


Have we communicated our expectations for this standard clearly? 
Q102 (©) Yes 
O No 


Q102 If no, then please give reasons for your answer. 
a 


Q103 


Q103 
a 


Q104 


Q104 
a 


Q105 


Q105 
a 


Do you have any examples that you think could be used to illustrate the approach we 
are advocating to this standard? 


Yes 


No 
If yes, then please give reasons for your answer. 


Do you think this standard gives rise to any unwarranted or unintended 
consequences? 


Yes 


No 
If yes, then please give reasons for your answer. 


Do you envisage any feasibility challenges to online services delivering this standard? 
Yes 


No 


If yes, then please provide details of what you think the challenges are and how you 
think they could be overcome? 


Do you think this standard requires a transition period of any longer than 3 
months after the code comes into force? 
Q106 ©) Yes 


No 
If yes, then please provide your reasons for this view, and give an indication of what 
you think a reasonable transition period would be and why. 


Q106 
a 


Do you know of any online resources that you think could be usefully linked to 
from this section of the code? 


Q107 Yes 

No 
Q107 If yes, then please provide details (including links). 
a 


Section 3: Your views on the code sections 


Is the 'Enforcement of this code’ section of the code clearly communicated? 
Q108 Q Yes 
O No 


If no, then please provide your reasons for this view. 


Q108 
a 


Is the 'Glossary' section of the code clearly communicated? 
Q109 Q Yes 


©) No 


Q109 If no, then please provide your reasons for this view. 
a 


Are there any key terms missing from the 'Glossary'? 
Q110 ©) Yes 


© No 


Q110 If yes, then please provide your reasons for this view. 


a 
Is the 'Annex A: Age and developmental stages' section of the code clearly 
communicated? 

Q111 @ Yes 


©) No 


Q111 If no, then please provide your reasons for this view. 
a 


Q112 @ Yes 
O No 
If yes, then please provide your reasons for this view. 


Q112 It will be important to include a distinction for 17 year olds who can enter into legally 
a binding contracts in order to limit the application of the code to this scenario. 
Adequate protection is already in place for 17 year old motor insurance customers. 


Do you know of any online resources that could be usefully linked to the 
‘Annex A: Age and developmental stages' section of the code? 


Q113 © Yes 
©) No 


Q113 If yes, then please provide details (including links). 
a 


Is the 'Annex B: Lawful basis for processing’ section of the code clearly 


communicated? 
Q114 @ Yes 
O No 


Q114 If no, then please provide your reasons for this view. 
a 


Q115 @ Yes 
©) No 


Q115 If no, then please provide your reasons for this view. 
a 


Q116 (©) Yes 
© No 


Q116 If yes, then please provide your reasons for this view. 
a 


Section 4: About you 


Are you answering as: 

Q117 ©) A body representing the views or interests of children 
O A body representing the views or interests of parents 
©) A child development expert 
©) An academic 
O An individual acting in another professional capacity 
© A provider of an ISS likely to be accessed by children 
O A trade association representing ISS providers 


O An individual acting in a private capacity (e.g. someone providing their views as a 
member of the public of the public or a parent)? 


©) An ICO employee 
O Other 
Q117 Please specify: 


Q117 Please specify: 


Please state your name or if you're answering on behalf of an organisation, 
your organisation's name. 


Q118 Direct Line Group - please note as an insurer we do not target children; however, 17 year olds can 


niirchaca motor ineiranca anlina 


Thank you for responding to this consultation 
We value your input. 


